ASA 5505-PFSENSE IPSEC working only in one direction

    Hello,

    I've configured a Cisco 5505 to pfSense IPsec VPN. Traffic from the pfSense subnet (192.168.1.0) to the ASA subnet (192.168.2.0) is working perfectly, but traffic from the ASA is sent out to the internet instead of through the tunnel. I have used this ASA configuration for many other routers, so I must be missing some detail.

    Both firewalls are behind a Fritzbox with NAT enabled.

    The Fritzbox on the ASA side is 192.168.178.1.

    I have tried looking at the show nat and show access-list counters; the NAT counter for the internet increased, of course, but I could not find any clue.

    I hope you can help me; any help is appreciated. Kind regards, Marc.

    ASA Version 9.0(1)
    !
    hostname CISCO


    names
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.178.22 255.255.255.0
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 8.8.8.8

    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    access-list outside-access-in extended permit icmp any any
    access-list outside_cryptomap extended permit ip object obj-192.168.2.0 object obj-192.168.1.0
    access-list outside_cryptomap extended permit icmp object obj-192.168.2.0 object obj-192.168.1.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0
    !
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside-access-in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 83.163.220.20
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.200 255.255.255.255 inside
    ssh 192.168.2.100 255.255.255.255 inside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 20
    console timeout 0

    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.100-192.168.2.131 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 5.200.6.34 source outside

    tunnel-group 83.163.220.20 type ipsec-l2l
    tunnel-group 83.163.220.20 ipsec-attributes
    ikev1 pre-shared-key *****
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:60e8ca7b2957e317cd41f8150a305dda
    : end
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable



    sh crypto ipsec sa
    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.178.22

    access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer: 83.163.220.20

    #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
    #pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 219, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 192.168.178.22/4500, remote crypto endpt.: 83.163.220.20/61528
    path mtu 1500, ipsec overhead 66(44), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: C53E78DC
    current inbound spi : 663ED935

    inbound esp sas:
    spi: 0x663ED935 (1715394869)
    transform: esp-3des esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
    slot: 0, conn_id: 4096, crypto-map: outside_map
    sa timing: remaining key lifetime (sec): 3374
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
    spi: 0xC53E78DC (3309205724)
    transform: esp-3des esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
    slot: 0, conn_id: 4096, crypto-map: outside_map
    sa timing: remaining key lifetime (sec): 3374
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    traceroute 192.168.1.11

    Type escape sequence to abort.
    Tracing the route to 192.168.1.11

    1 192.168.178.1 0 msec 0 msec 0 msec
    2 e320lns-eup1.netcologne.de (195.14.226.6) 20 msec 10 msec 20 msec
    3 87.79.16.193 20 msec 20 msec 10 msec
    4 core-eup1-vl514.netcologne.de (78.35.33.201) 20 msec * *
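Added example, not part of Marc's post and not Cisco or pfSense tooling: a small Python checker that parses the crypto-map ACL and the identity NAT rule excerpted from the config above and says, for a given source/destination pair, whether the ASA would treat it as interesting traffic. It also reads the encaps/decaps counters from the posted "sh crypto ipsec sa" output. Two things it makes visible: both counters are non-zero, so the tunnel is already carrying packets in both directions, and the traceroute at the end of the post is not a valid test of the tunnel, assuming it was run without a source option, because the ASA then sources it from its outside interface address (192.168.178.22), which falls outside the 192.168.2.0/24 source the crypto ACL requires (hop 1 being the Fritzbox is consistent with that). The three sample flows at the bottom are constructed; the "NAT before crypto" verdict is a simplification of the ASA packet path, kept here because it is the reason identity NAT is needed at all.

```python
"""Added example (not from the post): evaluate flows against the ASA's
interesting-traffic ACL and identity-NAT rule, and read the SA counters."""
import ipaddress
import re

# Excerpt of the running config posted in the thread (only the lines the
# checker needs); object names, ACL name and NAT rule are the poster's.
ASA_CONFIG = """
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object obj-192.168.2.0 object obj-192.168.1.0
access-list outside_cryptomap extended permit icmp object obj-192.168.2.0 object obj-192.168.1.0
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0
crypto map outside_map 1 match address outside_cryptomap
route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
"""

# Excerpt of the poster's "sh crypto ipsec sa" output.
SA_OUTPUT = """
#pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
#pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
"""


def parse_objects(cfg):
    """Map 'object network NAME' + 'subnet'/'host' lines to IPv4Network."""
    objects, current = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif current and tok and tok[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif current and tok and tok[0] == "host":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/32")
    return objects


def _addr(tok, i, objects):
    """Parse one ACE address operand starting at tok[i]; return (net, next_i)."""
    if tok[i] == "object":
        return objects[tok[i + 1]], i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_crypto_acl(cfg, objects):
    """Return (protocol, src_net, dst_net) for each ACE of the crypto-map ACL."""
    acl_name = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    aces = []
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:4] == ["access-list", acl_name, "extended", "permit"]:
            src, i = _addr(tok, 5, objects)
            dst, _ = _addr(tok, i, objects)
            aces.append((tok[4], src, dst))
    return aces


def parse_identity_nat(cfg, objects):
    """Return (src_net, dst_net) pairs left untranslated (real == mapped)."""
    pat = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)")
    pairs = []
    for m in pat.finditer(cfg):
        real_src, mapped_src, real_dst, mapped_dst = m.groups()
        if real_src == mapped_src and real_dst == mapped_dst:
            pairs.append((objects[real_src], objects[real_dst]))
    return pairs


OBJECTS = parse_objects(ASA_CONFIG)
CRYPTO_ACL = parse_crypto_acl(ASA_CONFIG, OBJECTS)
IDENTITY_NAT = parse_identity_nat(ASA_CONFIG, OBJECTS)


def classify_flow(src, dst, proto="ip"):
    """Is the flow interesting traffic, and does NAT leave its addresses intact?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crypto = any((p == "ip" or p == proto) and s in sn and d in dn
                 for p, sn, dn in CRYPTO_ACL)
    exempt = any(s in sn and d in dn for sn, dn in IDENTITY_NAT)
    if crypto and exempt:
        verdict = "encrypted: matches crypto ACL, identity NAT keeps the addresses"
    elif crypto:
        verdict = "at risk: matches crypto ACL but dynamic PAT rewrites the source first"
    else:
        verdict = "not interesting traffic: follows the routing table (default route)"
    return {"crypto_match": crypto, "nat_exempt": exempt, "verdict": verdict}


def parse_sa_counters(text):
    """Pull encaps/decaps from 'show crypto ipsec sa'; both > 0 means two-way traffic."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return {"encaps": enc, "decaps": dec, "bidirectional": enc > 0 and dec > 0}


if __name__ == "__main__":
    # Constructed sample flows: an inside host, the ASA's own outside address
    # (what an unsourced traceroute uses), and ordinary internet traffic.
    for flow in [("192.168.2.100", "192.168.1.11", "icmp"),
                 ("192.168.178.22", "192.168.1.11", "icmp"),
                 ("192.168.2.100", "8.8.8.8", "udp")]:
        print(flow, "->", classify_flow(*flow)["verdict"])
    print(parse_sa_counters(SA_OUTPUT))
```

Run it with python3. The practical check it suggests is to test from a host on 192.168.2.0/24 (or with an inside source address) rather than from the ASA itself, and to watch the encaps counter move while doing so; a flow the checker reports as "not interesting traffic" will always follow the default route toward 192.168.178.1, which is exactly what the posted traceroute shows.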